CVE-2026-45058 – electerm ≤3.8.8 RCE via bookmark injection (sync/import)

CVE Triage 5 posts · 9 views
Lina Korshunova
Senior Security Engineer · 3h ago

electerm ≤3.8.8 is vulnerable to persistent RCE through malicious bookmark JSON. The attack surface is any user importing bookmarks or using sync (gist/WebDAV). Injected exec* fields or global config execute arbitrary code on bookmark open or sync apply.

Reproducer:

{
  "bookmarks": [{
    "id": "test",
    "host": "example.com",
    "execOnConnect": "calc.exe"
  }]
}

Import this JSON → open bookmark → payload runs in local PTY context.

Workaround: disable sync, audit/sanitize bookmark JSON before import, and sandbox via AppArmor/SELinux if available. Patch forthcoming in 3.8.9+. Anyone running this in CI/automation should isolate immediately.

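The "audit/sanitize bookmark JSON before import" step in the post above, written out as an added example (not electerm's code and not the poster's tooling). It assumes the export is JSON with a top-level "bookmarks" array, as in the reproducer, and that execution hooks live in keys whose names start with "exec"; the nested key "EXECAfterLogin" in the sample is hypothetical and only shows that nesting and letter case do not hide a field from the scan.

```python
"""Audit an electerm-style bookmark export for exec* fields before importing it.

Added example; this is not electerm's code and not the reproducer author's tooling.
Assumptions: the export is JSON with a top-level "bookmarks" array (as in the
reproducer above) and execution hooks live in keys whose names start with "exec".
The nested key "EXECAfterLogin" in the sample is hypothetical.
"""
import json
import re
from typing import Any, Iterator

# Matches execOnConnect from the reproducer and any sibling exec* hook.
# Prefix matching is an assumption about the schema, not a documented key list.
EXEC_KEY_RE = re.compile(r"^exec", re.IGNORECASE)


def walk(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, key) for every object key in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")


def find_exec_fields(doc: Any) -> list[str]:
    """Return the JSON path of every exec* key, however deeply it is nested."""
    return [path for path, key in walk(doc) if EXEC_KEY_RE.match(key)]


def strip_exec_fields(doc: Any) -> Any:
    """Return a copy with every exec* key dropped: strip rather than trust."""
    if isinstance(doc, dict):
        return {k: strip_exec_fields(v) for k, v in doc.items() if not EXEC_KEY_RE.match(k)}
    if isinstance(doc, list):
        return [strip_exec_fields(v) for v in doc]
    return doc


def audit_export(text: str) -> dict:
    """Parse an export and report what would execute on bookmark open or sync apply."""
    doc = json.loads(text)
    findings = find_exec_fields(doc)
    return {
        "safe_to_import": not findings,
        "findings": findings,
        "sanitized": strip_exec_fields(doc),
    }


# Constructed sample: the reproducer's bookmark, a benign one, and a nested hypothetical hook.
SAMPLE_EXPORT = json.dumps({
    "bookmarks": [
        {"id": "test", "host": "example.com", "execOnConnect": "calc.exe"},
        {"id": "bastion", "host": "bastion.internal", "port": 22},
        {"id": "db", "host": "db.internal", "settings": {"EXECAfterLogin": "id > /tmp/pwned"}},
    ],
})

if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for path in report["findings"]:
        print(f"would execute on use: {path}")
    print("safe to import:", report["safe_to_import"])
```

Run the audit on the exported file before handing it to the import dialog, and import the sanitized copy rather than the original; a clean report on the sanitized output is the check that nothing exec-like survived.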
Marcus Tully
Principal Security PM · 3h ago

We've seen this pattern before with Tabby. Defender for Endpoint flags suspicious child-process chains from electerm.exe (e.g., spawning powershell/cmd with network). Added an IoC hunting query to our GitHub—check DeviceProcessEvents for InitiatingProcessFileName == "electerm.exe" + high-risk children.

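The child-process hunt described in the post above, as an added example run over constructed records; it is not the GitHub query the post refers to and not Defender's logic. Column names follow Defender's DeviceProcessEvents table (Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine); the events, the high-risk child list and the command-line markers are assumptions for illustration.

```python
"""Hunt for electerm.exe spawning high-risk children in exported process events.

Added example; not the hunting query the post refers to and not Defender's own logic.
Column names follow Defender's DeviceProcessEvents table; the records are constructed,
and the high-risk child set and command-line markers are assumptions.
"""
import json
import re

PARENT = "electerm.exe"

# A terminal emulator legitimately spawns shells; these children deserve a look.
# Assumption based on the post (powershell/cmd) plus a few common LOLBins.
HIGH_RISK_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}
# Markers of a network fetch or an encoded payload in the child's command line.
NETWORK_MARKERS = re.compile(
    r"(https?://|-enc(odedcommand)?\b|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)


def triage_event(ev: dict) -> list[str]:
    """Return why an event is suspicious, or [] if it is not an electerm child of interest."""
    if ev.get("InitiatingProcessFileName", "").lower() != PARENT:
        return []
    reasons = []
    child = ev.get("FileName", "").lower()
    if child in HIGH_RISK_CHILDREN:
        reasons.append(f"high-risk child: {child}")
    if NETWORK_MARKERS.search(ev.get("ProcessCommandLine", "")):
        reasons.append("network or encoded-command marker in command line")
    return reasons


def hunt(jsonl: str) -> list[dict]:
    """Scan newline-delimited event records and return the ones that need triage."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = triage_event(ev)
        if reasons:
            hits.append({
                "Timestamp": ev.get("Timestamp"),
                "DeviceName": ev.get("DeviceName"),
                "child": ev.get("FileName", "").lower(),
                "reasons": reasons,
            })
    return hits


# Constructed records, one JSON object per line, using DeviceProcessEvents column names.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Timestamp": "2026-05-02T10:00:01Z", "DeviceName": "ws-017",
     "InitiatingProcessFileName": "electerm.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Timestamp": "2026-05-02T10:00:05Z", "DeviceName": "ws-017",
     "InitiatingProcessFileName": "electerm.exe", "FileName": "ssh.exe",
     "ProcessCommandLine": "ssh.exe -p 22 ops@bastion.internal"},
    {"Timestamp": "2026-05-02T10:01:10Z", "DeviceName": "ws-022",
     "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -c iwr https://intranet.example/tool.ps1"},
    {"Timestamp": "2026-05-02T10:02:30Z", "DeviceName": "ws-031",
     "InitiatingProcessFileName": "Electerm.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c calc.exe"},
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["child"], "; ".join(hit["reasons"]))
```

The parent filter does the heavy lifting: powershell with a download cradle under explorer.exe is someone else's alert, while the same thing under electerm.exe is exactly the bookmark-triggered chain the post describes. Case-normalising the file names matters because the third-party event source may not.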
Priya Sengupta
Senior Product Security · 3h ago

Not shipped in RHEL proper, but some teams pull it via Flatpak. Disagree slightly on scope—sync vectors are harder to exploit (attacker needs control of gist/WebDAV endpoint). Bookmark import is the critical path. We're recommending file integrity monitoring on ~/.electerm/ and blocking .json imports from untrusted sources via policy.

KS
Senior Security Engineer · 2h ago · edited 2h ago

@user55

Hey, nice post - this is only a test for now.
